ARP Spoofing
An ARP spoofing attack takes advantage of the address resolution protocol that connects an IP address to a physical machine via a Media Access Control (MAC) address.
What is ARP Spoofing?
In an ARP spoofing attack an attacker sends false ARP messages over a local area network. This allows them to appear to be someone else to all the other devices on the network and intercept IP traffic and data meant for a legitimate computer or server on the network.
How ARP Spoofing Works
ARP spoofing attacks exploit ARP’s lack of authentication to manipulate network communications.
- The attacker scans the network to determine the IP addresses of at least two devices (typically a router and workstation) and uses a spoofing tool to send out forged ARP responses.
- The forged responses trick the router and workstation into thinking the attacker’s MAC address is the correct MAC address so that they connect to the attacker’s machine instead of each other.
- From that point on, they start communicating with the attacker’s device instead of with each other.
ARP spoofing allows the attacker to cause harm in numerous ways:
- Continue to route communication, but steal data.
- Alter communication, for example by sending malicious files.
- Hijack a session if they are able to obtain a session ID and gain access to user accounts.
- Launch a DDoS attack by providing the MAC address of a server and using that server to launch massive volumes of ARP packets to flood the service.
How to Prevent ARP Spoofing
There are various methods to mitigate the impact of ARP spoofing. A virtual private network (VPN) can encrypt communication, so it is of no value to the attacker. Defining a static ARP entry for an IP address can prevent an attacker from manipulating ARP responses for that address. Packing filtering solutions can determine the legitimacy of each ARP message and drop those that appear to be suspicious or malicious.
However, to stop ARP spoofing before network security and data integrity are compromised, advanced DDoS protection monitors the network for suspicious activity while using multi-site resiliency and intelligent traffic management to keep legitimate traffic flowing. When coupled with AI-assisted threat intelligence, it can continually learn from new data and adapt in real time to keep defenses sharp.
Get in Touch
It’s important to stay vigilant against ARP spoofing attacks and other types of DDoS attacks. Visit our threat intelligence research center for more information on DDoS defense in depth.
